Back to skill

Security audit

CodivUpload Social Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly disclosed CodivUpload social publishing helper, but it can affect real social accounts if you give it an API key.

Install this only if you want an agent to act on connected CodivUpload social accounts. Use the narrowest API key scope available, preferably single-platform or per-workspace, avoid a global account key unless you truly need account or billing changes, verify the optional MCP package before installing it, and carefully review every approval prompt before publishing, bulk scheduling, starting livestreams, deleting, or changing account settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
77% confidence
Finding
The activation rules are broad enough to trigger on ordinary conversation involving generic terms like post, upload, reel, or schedule plus platform names. In an agentic environment with network/tool access, over-broad activation increases the chance the skill engages unexpectedly and proposes or performs actions against real social accounts when the user only intended discussion or drafting.

VirusTotal

46/46 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.